phooky

As midnight approached this New Year’s Eve– as champagne bubbled from uncorked necks and we all prepared for the coming year in various postures of revelry or bleak resignation– I grappled silently with the pivotal question of our time: “How awesome are robots?” The answer is of course that robots are completely awesome. That settled, I resolved to build one robot a month for the duration of 2013.

Much to the chagrin of Brooklyn’s legion of artisanal slow-cooking egg-boilers, January’s robot is a an automaton for preparing soft-boiled eggs for human consumption.

This was a junkbot, assembled from various scraps that have ended up in the space over the years. Expert junkspotters will note:

The heating element and thermistor from a trashed mini-espresso machine

One 250mL beaker of questionable provenance

Some off-brand extruded aluminum

Skate bearings

A haunted steel counterweight

Lots of lasercut acrylic and delrin

Some chunks of 4×4 sliced out of the loft supports from the original NYCR location

A couple of analog servos and a DC motor from the junk drawer

One half of a L298 from a driver board I designed in 2005

Some relays from sharesville

A button from a reflow oven

Random bolts, plywood, etc.

The whole shebang was controlled by a Teensy 2.0 and powered from a bench supply (except the heating element which was run off of 120VAC, which is why the lights keep dimming during the video).

All the code and CAD files are in my Github repo, as usual. Special thanks to Charles Pax for donating the boiler from his busted coffeemaker, Eric Skiff for providing the tunes for the video, Nick Farr for a last-minute game-changing special Club Mate delivery, and everyone at NYCR for indulging my little robot habit.

Heading to Toorcamp? Take a second to cast around your hackerspace, workshop, or trash heap and grab any interesting-looking ROMs you come across (or just any sufficiently interesting/old PCBs). I’ll be there with one of Trammell’s incredible super-tiny readers, a soldering iron, and unfathomable patience to help you perform some digital archaeology and light necromancy.

Last week I posted a screed about that peculiarly modern variant of grave-robbing, ROM-dumping. That was the Why; this post is the How.

Dumping the contents of a ROM onto your computer is surprisingly simple. All you need to get started is:

An Arduino Mega or similar board[ref]I’m using a ChipKit Uno32 in the example below. An ordinary Arduino doesn’t have enough I/O pins! Sorry.[/ref] (you’ll need at least 24 I/O pins).

A breadboard

An EPROM to read

Some wires and a wire stripper

Your wits[ref]the bar for wits in this instance is pretty low. Unless you’re exceptionally addled you should be fine.[/ref]

That’s all. Gather your materials and let’s get cracking!

Step negative one: What are ROMs for?

ROM is an old term for “Read-Only Memory”. Nowadays these chips are often more correctly referred to as “non-volatile memory”, but it boils down to the same thing: they’re chips that store data even after you unplug your computer. When a digital device turns on, it effectively has amnesia. The only information it has about the world is what’s stored on its ROMs. So the first thing many devices do when they wake up is start reading instructions from a ROM. It’s like Guy Pearce’s tattoos[ref]complete with instructions about who to kill next.[/ref] for your computer.

Step zero: Find a board with a brain.

Almost any board of a certain age[ref]generally 1970-2000 or so.[/ref] which has a digital processor is likely to have a ROM of some sort on it. The easiest way to figure out whether there’s an interesting ROM on a board is to take it out and start hunting! Here’s a pile of boards from our scrap bin that are likely candidates. Let’s see what we can dig up.

Step one: Find your ROMs.

There are many types of ROM out there, but today we’ll be hunting for EPROMs. EPROM stands for “erasable programmable ROM”. [ref]How can something be “programmable” and still be considered “read only”? By giving up and calling it “non-volatile”.[/ref] They look like this:

EPROMs are erased by exposing the chip to ultraviolet light, which is why they have that distinctive quartz window you see above. However, in general it’s a bad idea to leave the window exposed like this, since over time stray UV will start to erase random bits. That’s why most EPROMs you come across will have a label over the window, like this:

Both of the labelled chips here are EPROMs. You’ll also notice that EPROMs are almost always in sockets, rather than being soldered directly to the board. This is so the data in the ROMs can be easily written or updated after the circuit boards are manufactured, and so devices can be patched or upgraded in the field. Of course, it also makes them easy for us to remove!

Another popular type of ROM is the “masked ROM”. These are true read-only memories; the data is etched on to the chip at the time they are manufactured [ref]the etching is controlled by photomasks; this is where the term “masked” comes from.[/ref] and can not be erased or updated. Because they aren’t reprogrammable, they don’t have clear windows, and usually don’t have labels. Here’s the mainboard from a Commodore 64; can you spot the ROMs?

As you can see, it’s difficult to distinguish a masked ROM from any other chip. Because they are manufactured in large quantities, they are usually silkscreened with a custom part number, and because sockets are expensive in mass-produced hardware, the chips are often soldered directly into the board. There’s only one reliable way to determine which chips are the ROMs. This is a picture of the same board taken at midnight:

It’s pretty clear which chips are the ROMs now, right? The low green phosphorescence you can see in this image appears at the witching hour due to the fact that almost all masked ROMs are haunted[ref]THIS IS COMPLETELY TRUE[/ref]. If for some reason you can’t stay up that late to identify the ROMs,[ref]you know, bedtime.[/ref] you can try to use a schematic to find them.[ref]many early computer manufacturers created extensive technical manuals for their products; a surprising number of these are available online. Be aware that schematics are also often haunted.[/ref]

Masked ROMs are clearly bad juju. Let’s stick with EPROMs.

Step two: Prepare and remove the chip.

Next, if there’s no label over the window on your EPROM, you’ll want to cover it up as soon as you can. Electrical tape works well for this. Cut a small piece and make sure the entire window is covered, as below.

You can easily pry a chip out of its socket with a flathead screwdriver. Be gentle and patient! It’s important not to bend any of the pins. Pry slowly from one side, and then the other.

If you do bend any of the pins, use some pliers to carefully straighten them out.

Step three: Identify the chip.

Now that you’ve got your ROM, the next step is to figure out exactly what sort of chip you’ve got. Read the silkscreened part number on the top of the chip. You may need to partially remove the label to see the entire part number; just be sure to keep the window covered (or cover it again with some tape once you’ve figured out the part number).

The part number is usually the topmost silkscreened text on the chip. Often you’ll see a part number that contains “27C”; this is one of the most popular types of EPROM. The chips above are all either 27C256 or 27C512 parts. The last three digits of the part numbers above– 256 and 512– represent the amount of data the chips can store in kilobits. That’s kilobits, not kilobytes, so you’ll have to divide by eight to figure out how many kilobytes the chips can store. For example, the 27C256 can store 32 kB of data.

Also, don’t forget to record any identifying information you find on the label or board! Having a pile of data is of no use if you don’t remember where it came from.

Step four: Figure out which pin is which.

EPROMs operate in a straightforward fashion. Internally, they store a number of bytes, each of which has an “address”– a unique number. There are a number of pins on the chip that are marked as address pins. You just need to set these pins high or low to indicate the binary value of the address you’re interested in. A few nanoseconds later, the chip will set another set of pins– the “data” pins– to high or low values to reflect the data that’s stored at that address. To read the contents of the ROM, all we have to do is write all the addresses in sequence to the address pins, and read the data from the data pins.

To hook up all those pins, we need to know what each physical pin on the chip does. The easiest way to get that information is to find the datasheet for the chip in question. Although these parts have been obsolete for years, datasheets describing most of them are still readily available online. Even if you can’t find a datasheet for your particular chip, you can often find one for a similar EPROM. Here are links to datasheets for the three chips shown above:

Once you have a datasheet, look for the pin diagram. It should look something like one of these:

This is a map that shows what each pin on your chip does. The pins labelled with the letter “A” are the address pins, and the pins labelled “Q” are the data pins. The chip on the left has fifteen address pins A0-A14, which correspond to the bits of a 15-bit address. The pins Q0-Q7 correspond to the bits of the data byte.

There are other pins on your chip. If you’d like to know exactly what each one does, just about every detail you’d care to know is in the data sheet. If you just want to get up and running, though, here’s a quick cheat sheet:

The “Vcc” pin is the power pin, and should be connected to +5V.

The “GND” or “Vss” pin is the ground pin, and should be connected to ground.

The “Vpp” pin is the programming voltage pin, and should be connected to +5V (unless it’s also one of the enable pins; see below).

The remaining pins labelled “E”, “OE”, “G”, “CE”, etc. are pins that enable the inputs and outputs. All you really need to know about these is that they need to be enabled, and that they are active low. This means you tell the chip to enable these pins by hooking them up to ground, not +5V. You can tell that they’re active low because they either have a hash mark (#) beside their names, or a little horizontal bar is drawn over their names.

That’s it! We now have enough information to start wiring up our circuit.

Step five: Breadboarding.

It’s time to grab your trusty breadboard, some wires, and start plugging things in. The first step is to insert your chip into the breadboard. Make sure you align the semicircle on the end of the chip with the corresponding mark on your diagram. I started out by hooking up everything that wasn’t an address or data line. In this case, Vcc and Vpp are connected to power, and everything else that’s not an address or data pin gets connected to ground.

Next, hook up the address lines to your Arduino Mega. If you want to use the program provided below, you should hook up pins A0-A15 in order to the pins 26-41 on the microcontroller. (If you need to use different pins, it’s easy to change the code, but try to keep them in order!)

Now, do the same with the data pins: hook up Q0-Q7 in order to pins 2-10 on your microcontroller.

Once you have all the pins hooked up, connect the power and ground connections on your breadboard to the +5V and GND connections on your microcontroller. That’s it! No passives, just lots of wires.

Before you plug anything in to a USB port, though, take a minute to double-check that all your connections are right. With so many wires, it’s easy to knock one loose when you’re inserting another one.

Step six: Software.

Download this Arduino sketch from github, and open it in the Arduino environment. Before you upload it to your board, read the comments and change the MAX_ADDR value to match the size of your chip (and change the Q0 and A0 values if you’re using different pin numbers than I am). Then upload away! As soon as the program starts, it will start writing the data on the EPROM to your serial port at 115200 bps. To confirm that it’s working, open the serial terminal in Arduino and press the reset button on the board. You should see a river of fast-moving hexadecimal values rush by.

Now just use your favorite serial program to capture that data to a file. Congratulations! You’ve got disk full of meaningless hieroglyphics.

Step seven: Now what?

Now it’s time to go dowsing. The bulk of the ROM probably contains binary instructions, but anything could be in there– images, fonts, screed, mysteries.

For starters, a file full of space-separated hexadecimal values isn’t really much use to anyone. Here’s a simple python script that will convert those numbers into a binary file. Once you have a binary, you might want to try opening it in a hex editor. If you know the type of processor the board is using, you might try running it through a disassembler for that processor. Disassemblers for common processors like the Z80 are readily available.

Often there are a number of strings embedded in these ROMs; you can extract these with the unix “strings” utility, or just browse through the files and see what you come up with. One of my ROMs contained the string “-Sixteen Bit Digital Audio System rev 1.32 copyright 1999 Gilderfluke & Co. DCM-“, which led me to this manual. Another has nothing but tantalizing, cryptic hints:
NORMA
ALARM
TROUBLE
AJAR
ACK REQ

Finding image or font data is a bit trickier, because while such data is often uncompressed, it can be represented in many ways. For instance, here’s a snippet of an image I generated from the ROM marked “Hebrew”, which is from an LED array control board and as expected contains both English and Hebrew glyphs:

To generate this image, I essentially just drew each byte as a “line” of eight pixels across. This would have created a very long, narrow image, so I cut up that “ribbon” of data into parts and put them side by side, creating the image above. Each character is stored as consecutive bytes in memory.

Now, let’s look at the character ROM from an Osbourne 1. What I did here is again draw out each bit as a dot, but instead of creating an 8-bit wide “ribbon”, I instead just drew each byte one after the other from left to right, wrapping when I reached 1024 pixels across:

The pixel data here is interleaved: first the first scan line of A, then B, then C, etc. through the entire font, and then the second scan line of A, B, C, etc.

Puzzling out how data like this is stored is mostly a matter of experimentation and expectation. How was the ROM used? Do you have schematics of the rest of the board, and what do they tell you? Did the device have a screen? A serial port?

Anyway, that’s the brink of the abyss. Take a gander and tell me what you see!

Hey, you know what’s great? Numbers. Everybody loves numbers! I love numbers, you love numbers. Numbers are the best. But you know who doesn’t love numbers? Laptop manufacturers, who are horrible trolls with hearts of coal. They are so opposed to everything good and right in this world that they have completely eliminated numeric keypads from modern laptops. This is because they are the enemies of numbers, and of fun.

But that doesn’t mean you have to resign yourself to a miserable life of hand cramps and slow data entry! PJRC has a great USB HID implementation for the Teensy that makes it simple to make a keyboard out of just about anything… even a thirty year old piece of lab equipment.

All the code is up at github. EXTRA ARCHAISM BONUS: I’ve converted the character bitmap data from the Waters 600E firmware into a BDF font. You can snag it here!

CHANGING TO ISOCRATIC MODE OF
OPERATION ABORTS GRADIENT AND LEAVES
EVENTS IN THEIR CURRENT STATE
There are incoherent, mumbling ghosts everywhere. A lot of the time they look like this.

These are 80’s-era erasable programmable read-only memories, or EPROMs. They were an immensely popular way to store firmware for embedded systems when the production run size or schedule didn’t make it economical to use less expensive masked ROMs. Then cheap EEPROM hit the market, and EPROMs all but disappeared from devices within half a decade.

TABLE LINE TABLE SAVE HELP
First vial greater than last vial.
End of table.
Table is full.

If you peel back the label on an EPROM, you can look through the magic window and see the ghosts.

The magic window is made of quartz, and permits ultraviolet light to shine through and erase the chip. Often if you find an old EPROM with the window exposed, it’s too late. The chip has been exposed to enough ambient UV to erase a few bits here and there– bit rot. If the label’s still covering the window, though, it’s easy enough to read out the information. These chips were everywhere, and datasheets for most are still available online.

The chips in the topmost image are from an old piece of lab equipment. They store 64KB each, and all you need to do to read them is to write a memory address to the address lines and read the result on the data lines. You can hook one up to an Arduino (or in this case a ChipKit Uno32– sorry, Arduino, you just don’t have enough pins!) in about ten minutes and write a quick program to copy the contents to the serial connection. In half an hour I had the contents of all three chips on my laptop. Hooray?

Which brings up the question of why you’d even want to bother to begin with. This is the firmware for an obsolete solvent control system running on a Motorolla 68000 microprocessor, obscurity on obscurity on obscurity. Who’s ever going to need it anyway? Why save the bits?

Gradient and event tables
to be executed simultaneously.
# GIVE ME SOME HELP
Number Out of Range

For the same reasons we record any history: because someday it may prove to be useful, and because someday it may prove to be beautiful. And even if it’s neither, at least it’s fun to poke around. Just pulling the strings out of the binaries yields odd puzzles. For instance, what is this snippet of BASIC code doing here?

Storage on this scale is approximately free. Who knows what data some future historian (or Chris Fenton) will need? Maybe you’ll find something fascinating or hilarious or clever tucked in a corner somewhere. Or maybe you’ll just learn a bit more about how the technology all around you works.

Did you manage to get tickets to Burning Man this year? Seriously? Congratulations! Now light them on fire and get your ass to ToorCamp instead.

There are plenty of prescriptions for summertime fun. You can go to a water park! You can play frisbee! You can have some beers and grill up some grub! Or you can slap on a hard hat, head out to the desert, and build robots in an abandoned Titan-1 missile silo, which is exactly what a few of us did back in 2009 for the last ToorCamp in eastern Washington state. To say that a fine time was had by all would be a mammoth, jaw-dropping understatement.

ToorCamp is Burning Man with less drugs and more hacking. This summer ToorCamp will take place on the northwest corner of the staggeringly beautiful Olympic Peninsula. Just get yourself out there!

There’s a common misconception the NYCR is only for electrical experimentation, but nothing could be further from the truth. For example, take this, the latest in our series of ectoplasmic investigations.